Channels

Services

Apple fixes iOS App Store man-in-the-middle hole

Apple has fixed a security problem that had existed for some time in its App Store application on iOS (iPhone, iPod Touch, iPad). In July 2012, Google researcher Elie Bursztein found and reported to Apple that there were numerous vulnerabilities in its App Store app because it used unencrypted communications to talk to Apple's servers. This left users vulnerable to Man-in-the-Middle (MitM) attacks that could allow an attacker to steal passwords or other information. Apple has now announced that it is using HTTPS to communicate between the App Store app and its servers, and Bursztein has taken the opportunity to show how various attacks could have been carried out using a MitM.

As well as the obvious password stealing attack – carried out by injecting a script which generates a fake dialog requesting a password into the software updates page – Bursztein shows how an attacker could trick users into buying apps, push fake upgrades, prevent apps from being installed, or see which apps are installed. That latter issue doesn't appear to be that important but Bursztein points out it could reveal, by the selection of apps, which bank or other services the victim uses.

Elie Bursztein demonstrates how a password could stolen through the App Store app and a man-in-the-middle attack.

Apple began encrypting content on the 23 January, according to its Apple Web Server notifications page, where issues and fixes for Apple's backend services are documented; it does appear though that this is only for itunes.apple.com. As well as Bursztein, Apple also thanked Bernhard "Bruhns" Brehm of Recurity Labs and Rahul Iyer of Bejoi LLC for reporting the issue. Why it took Apple over six months to fix the issue is unclear, but it does show how important it is for native applications to use secure communications to servers and how vulnerable they can be to such attacks if they do not.